#!/bin/bash
# Pre-commit hook to check for unpinned Docker images
# Prevents commits with unpinned images, providing immediate feedback

set -euo pipefail

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

VIOLATIONS=0

echo "🔍 Checking Docker image pinning..."

# Check Dockerfiles
if git diff --cached --name-only | grep -qE '^Dockerfile|/Dockerfile'; then
    echo "  Checking Dockerfiles..."
    for file in $(git diff --cached --name-only | grep -E '^Dockerfile|/Dockerfile'); do
        if [ -f "$file" ]; then
            # Check FROM statements without @sha256
            if grep -n "^FROM.*:.*[^@]$" "$file" | grep -v "@sha256:" >/dev/null 2>&1; then
                echo -e "${RED}  ❌ $file: FROM statement missing SHA digest${NC}"
                grep -n "^FROM" "$file" | grep -v "@sha256:"
                VIOLATIONS=$((VIOLATIONS + 1))
            fi
        fi
    done
fi

# Check docker-compose files
if git diff --cached --name-only | grep -qE 'docker-compose.*\.ya?ml'; then
    echo "  Checking docker-compose files..."
    for file in $(git diff --cached --name-only | grep -E 'docker-compose.*\.ya?ml'); do
        if [ -f "$file" ]; then
            # Skip cookiecutter templates and examples
            if [[ "$file" =~ cookiecutter-docker/ ]] || [[ "$file" =~ examples/ ]]; then
                continue
            fi

            # Check image: lines without @sha256 (excluding own image)
            if grep -n "image:.*:.*[^@]$" "$file" 2>/dev/null | \
               grep -v "localdeepresearch/local-deep-research" | \
               grep -v "@sha256:" >/dev/null 2>&1; then
                echo -e "${RED}  ❌ $file: image reference missing SHA digest${NC}"
                grep -n "image:" "$file" | grep -v "@sha256:" | grep -v "localdeepresearch/local-deep-research"
                VIOLATIONS=$((VIOLATIONS + 1))
            fi
        fi
    done
fi

# Check workflow files (basic check - detailed validation happens in CI)
if git diff --cached --name-only | grep -qE '^\.github/workflows/.*\.ya?ml'; then
    echo "  Checking workflow files..."
    for file in $(git diff --cached --name-only | grep -E '^\.github/workflows/.*\.ya?ml'); do
        if [ -f "$file" ]; then
            # Look for image: lines in services or container blocks
            if grep -B2 "image:" "$file" 2>/dev/null | grep -E "services:|container:" >/dev/null 2>&1; then
                # Check if any image lines lack @sha256
                if grep -A2 -B2 "image:" "$file" 2>/dev/null | \
                   grep "image:" | grep -v "@sha256:" | grep -qE "image:.*:"; then
                    echo -e "${YELLOW}  ⚠️  $file: May have unpinned service containers${NC}"
                    echo "     (Full validation will run in CI)"
                fi
            fi
        fi
    done
fi

echo ""

if [ $VIOLATIONS -gt 0 ]; then
    echo -e "${RED}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
    echo -e "${RED}❌ Found $VIOLATIONS unpinned images${NC}"
    echo -e "${RED}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
    echo ""
    echo "Images must use SHA256 digests for supply chain security."
    echo ""
    echo "To fix:"
    echo "  1. Pull: docker pull <image:tag>"
    echo "  2. Get digest: docker inspect <image:tag> | jq -r '.[0].RepoDigests[0]'"
    echo "  3. Update: image: <image:tag>@sha256:..."
    echo ""
    echo "Example:"
    echo -e "  ${RED}# Bad${NC}"
    echo "  FROM python:3.13-slim"
    echo ""
    echo -e "  ${GREEN}# Good${NC}"
    echo "  FROM python:3.13-slim@sha256:326df678c20c78d..."
    echo ""
    exit 1
fi

echo -e "${GREEN}✅ All Docker images properly pinned${NC}"
exit 0
